CVE-2016-7777 — xen - security update

Description

Xen 4.7.x and earlier does not properly honor CR0.TS and CR0.EM, which allows local x86 HVM guest OS users to read or modify FPU, MMX, or XMM register state information belonging to arbitrary tasks on the guest by modifying an instruction while the hypervisor is preparing to emulate it.

How to fix CVE-2016-7777

To remediate CVE-2016-7777, upgrade the affected package to a fixed version below.

—upgrade to 4.7.0-r5 or later
—upgrade to 4.8.0~rc3-1 or later
—upgrade to 4.1.6.lts1-3 or later
—upgrade to 4.4.1-9+deb8u8 or later

Is CVE-2016-7777 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

from 0, < 4.7.0-r5
from 0, < 4.8.0~rc3-1
from 0, < 4.1.6.lts1-3
from 0, < 4.4.1-9+deb8u8

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.3	CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

References (2)

ADVISORYsecurity.alpinelinux.org/vuln/CVE-2016-7777
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2016-7777